2 files changed, 30 insertions, 0 deletions

diff --git a/trust/Makefile.am b/trust/Makefile.am
index 4a3430c..6c2c7c8 100644
--- a/trust/Makefile.am
+++ b/trust/Makefile.am
@@ -56,5 +56,9 @@ libtrust_testable_la_LDFLAGS = \
 
 libtrust_testable_la_SOURCES = $(MODULE_SRCS)
 
+externaldir = $(privatedir)
+external_SCRIPTS = \
+	p11-kit-extract-trust
+
 EXTRA_DIST = \
 	p11-kit-trust.module
diff --git a/trust/p11-kit-extract-trust.in b/trust/p11-kit-extract-trust.in
new file mode 100755
index 0000000..c7214e9
--- /dev/null
+++ b/trust/p11-kit-extract-trust.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# This script is a placeholder designed to be replaced when this software
+# has been customized for distribution. It should be symlinked linked to the
+# distribution's update-ca-certificates or update-ca-trust command as
+# appropriate. In the future this script will be called when the PKCS#11
+# trust module is used to modifiy trust anchors and related data.
+
+if [ $# -ne 0 ]; then
+	echo "usage: p11-kit extract-trust" >&2
+	exit 2
+fi
+
+echo "p11-kit: the placeholder extract-trust command has not been customized by your distribution." >&2
+
+# You can use commands like this to extract data from trust modules
+# into appropriate locations for your distribution.
+#
+# p11-kit extract --format=openssl-bundle --filter=ca-anchors \
+# 	--overwrite /tmp/openssl-bundle.pem
+# p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite \
+# 	--purpose server-auth /tmp/server-auth-bundle.pem
+# p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite \
+# 	--purpose server-auth /tmp/cacerts
+
+exit 1